From: Dan Brown
Date: Sun, 20 May 2018 08:38:27 +0000 (+0100)
Subject: Update session config to match laravel
X-Git-Tag: v0.22.0~1^2~13
X-Git-Url: http://source.bookstackapp.com/bookstack/commitdiff_plain/77727e7e5087f28cb55ebbf2b04402dc6b34c7fa?ds=inline
Update session config to match laravel
Includes option to set secure cookies via env.
Closes #817
---
diff --git a/config/session.php b/config/session.php
index 8d8c14fe9..b334ffb3c 100644
--- a/config/session.php
+++ b/config/session.php
@@ -135,7 +135,7 @@ return [
 |
 */
- 'domain' => null,
+ 'domain' => env('SESSION_DOMAIN', null),
 /*
 |--------------------------------------------------------------------------
@@ -148,6 +148,34 @@ return [
 |
 */
- 'secure' => false,
+ 'secure' => env('SESSION_SECURE_COOKIE', false),
+
+ /*
+ |--------------------------------------------------------------------------
+ | HTTP Access Only
+ |--------------------------------------------------------------------------
+ |
+ | Setting this value to true will prevent JavaScript from accessing the
+ | value of the cookie and the cookie will only be accessible through
+ | the HTTP protocol. You are free to modify this option if needed.
+ |
+ */
+
+ 'http_only' => true,
+
+ /*
+ |--------------------------------------------------------------------------
+ | Same-Site Cookies
+ |--------------------------------------------------------------------------
+ |
+ | This option determines how your cookies behave when cross-site requests
+ | take place, and can be used to mitigate CSRF attacks. By default, we
+ | do not enable this as other CSRF protection services are in place.
+ |
+ | Supported: "lax", "strict"
+ |
+ */
+
+ 'same_site' => null,
 ];
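Review bot: The new `'same_site' => null` entry at the end of the second hunk emits the session cookie with no SameSite attribute, so the only CSRF barrier is the token check the surrounding comment alludes to; `'same_site' => 'lax'` would add an independent, browser-enforced layer at no cost to ordinary navigation, and is what later Laravel releases ship as the default. Lax still permits cookies on top-level GET navigations, so redirect-based social logins should keep working, whereas `'strict'` would drop the session on the return redirect — worth confirming against this app's login flows before choosing. Separately, `'secure' => env('SESSION_SECURE_COOKIE', false)` defaults to a cookie that browsers will also send over plain HTTP; the option's comment block (above the hunk, not visible here) should tell operators behind a TLS-terminating proxy to set `SESSION_SECURE_COOKIE=true`, and a matching `.env.example` entry would make the new knob discoverable. The `return [` array begins before the first hunk; only its tail is visible in this diff.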